#BHUSA: Identity Compromise the Cause of Most Breaches

Identity theft has established itself as the main initial access method for threat actors, according to CrowdStrike.

In its 2023 Threat Hunting Report published during Black Hat USA, CrowdStrike found that 80% of breaches now involved the use of compromised identities, of which 62% involved the abuse of legitimate accounts and 34% the abuse of domain or default accounts.

Adam Meyers, CrowdStrike’s senior VP of intelligence, estimated that advances in enterprise security, especially endpoint detection and response (EDR) solutions, “made it more difficult for threat actors, ransomware groups as well as nation-state groups, to accomplish their goals, bring their own tools and stay in one particular network without getting detected.”

For this reason, adversaries have largely turned to identity theft approaches for gaining initial access to networks, which can be classified into three categories:

  • Social engineering techniques
  • Credential stealing via infostealers and unprotected devices
  • Credential collecting (e.g. from compromised or leaked databases)

For instance, CrowdStrike observed a 160% increase in attempts to gather secret keys and other credential materials via cloud APIs compared with 2022.

Other findings include a staggering 583% jump in kerberoasting, an attack on the Kerberos authentication protocol used by Microsoft Active Directory in which the attacker impersonates a user to gain access to sensitive resources, and a 300% increase in the use of remote management tools for malicious purposes.
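The kerberoasting activity the report counts leaves a characteristic trace in domain controller logs: one account requesting service tickets for many different SPNs in a short time, typically with the weak RC4 encryption type. The detector below is an added example, not code from the article or from CrowdStrike; it assumes Windows Security event 4769 records flattened into a constructed `key=value;` line format, and the window and SPN-count thresholds are assumed values a defender would tune to their own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                  # TicketEncryptionType 0x17 = RC4-HMAC (weak type)
WINDOW = timedelta(minutes=5)    # assumed thresholds, tune per environment
MIN_DISTINCT_SPNS = 4

def parse_event(line):
    """Parse one constructed 'key=value;...' 4769 record into a dict."""
    f = dict(kv.split("=", 1) for kv in line.strip().split(";") if kv)
    return {"ts": datetime.fromisoformat(f["ts"]),
            "user": f["TargetUserName"].lower(),
            "spn": f["ServiceName"].lower(),
            "etype": int(f["TicketEncryptionType"], 16),
            "status": f["Status"]}

def detect_kerberoast(lines):
    """Map each account that obtained RC4 service tickets for at least
    MIN_DISTINCT_SPNS different SPNs within WINDOW to its sorted SPN list.
    Failed requests, krbtgt and machine-account ($) SPNs are ignored."""
    per_user = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["etype"] != RC4_HMAC or ev["status"] != "0x0":
            continue
        if ev["spn"].startswith("krbtgt") or ev["spn"].split("/")[0].endswith("$"):
            continue
        per_user[ev["user"]].append((ev["ts"], ev["spn"]))
    hits = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):        # sliding window start
            spns = {s for t, s in reqs[i:] if t - t0 <= WINDOW}
            if len(spns) >= MIN_DISTINCT_SPNS:
                hits[user] = sorted(spns)
                break
    return hits

# Constructed sample events: jdoe sweeps RC4 tickets; the rest is benign noise.
SAMPLE_4769 = [
    "ts=2023-08-09T10:00:00;TargetUserName=jdoe@CORP.LOCAL;ServiceName=MSSQLSvc/db1.corp.local:1433;TicketEncryptionType=0x17;Status=0x0",
    "ts=2023-08-09T10:00:01;TargetUserName=jdoe@CORP.LOCAL;ServiceName=HTTP/intranet.corp.local;TicketEncryptionType=0x17;Status=0x0",
    "ts=2023-08-09T10:00:02;TargetUserName=jdoe@CORP.LOCAL;ServiceName=CIFS/files.corp.local;TicketEncryptionType=0x17;Status=0x0",
    "ts=2023-08-09T10:00:03;TargetUserName=jdoe@CORP.LOCAL;ServiceName=WS01$;TicketEncryptionType=0x17;Status=0x0",
    "ts=2023-08-09T10:00:04;TargetUserName=jdoe@CORP.LOCAL;ServiceName=ldap/dc1.corp.local;TicketEncryptionType=0x17;Status=0x0",
    "ts=2023-08-09T10:00:05;TargetUserName=jdoe@CORP.LOCAL;ServiceName=exchangeMDB/mail.corp.local;TicketEncryptionType=0x17;Status=0x0",
    "ts=2023-08-09T10:02:00;TargetUserName=asmith@CORP.LOCAL;ServiceName=CIFS/files.corp.local;TicketEncryptionType=0x12;Status=0x0",
    "ts=2023-08-09T10:02:30;TargetUserName=asmith@CORP.LOCAL;ServiceName=HTTP/intranet.corp.local;TicketEncryptionType=0x12;Status=0x0",
    "ts=2023-08-09T10:03:00;TargetUserName=bob@CORP.LOCAL;ServiceName=MSSQLSvc/db1.corp.local:1433;TicketEncryptionType=0x17;Status=0x1b",
]

if __name__ == "__main__":
    print(detect_kerberoast(SAMPLE_4769))
```

AES-only service accounts (encryption type 0x12) and failed requests are deliberately excluded so the rule keys on the weak-ticket sweep rather than on ordinary Kerberos traffic.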

Further Investment in Identity Security Needed

“Once they’re in the network, rather than bringing tools that might be detected by EDRs, threat actors are increasingly using living-off-the-land techniques, such as using PowerShell,” Meyers said.

Additionally, ransomware actors are turning from sophisticated data encryption schemes to simpler, more profitable double extortion attacks – sometimes even dropping the encryption step altogether.

“These latter attacks don’t require sophisticated tools,” Meyers added.

According to Meyers, the report findings should act as a wake-up call for defenders to further invest in identity security solutions.